RE: Membership Provider Woes



Steven, thanks for all your help. I have one more question as a point of
clarification. You set the FormsAuth ticket on the Login_LoggingIn. Is
there any reason you did that instead of Login_LoggedIn? You're setting a
cookie regardless of whether the user's authentication failed or not. I
guess it's a moot point since we have to do a double check anyway.

"Steven Cheng[MSFT]" wrote:

Thanks for your reply Chris,

Regarding your new questions, here is my understanding:


The FormsIdentity class you reference, is that a custom class I have to
write that implements IIdentity or is it just available?
======================================
Sure, it is a built-in class which is used to represent the security
identity in a forms authentication context. It is used in both ASP.NET 1.x
and 2.0 by the forms authentication module; it will be automatically
created in each request (as long as the current user has been
authenticated).


Second, how do I actually store the custom information? From the looks of
it, I pass information into the constructor of the
FormsAuthenticationTicket, but which parameter does it? Is it the "1" that
you pass in?
=========================================
No. "1" is the version number. It is the "some custom data want to store in
ticket...." which can be any custom data you want to store in the
authentication ticket. Custom data can only be a string value; it is also
limited by the nature of cookies. You can find the clear definition of the
Ticket class's constructor below:

#FormsAuthenticationTicket.FormsAuthenticationTicket(Int32, String, DateTime, DateTime, Boolean, String, String) Constructor
http://msdn2.microsoft.com/en-us/library/kybcs83h.aspx



How can I easily access this information later? It looks like once you
pass the information into the cookie, you can pull it out using
identity.Ticket.UserData. However, isn't this just implementing a custom
IIdentity...which is kind of the asp.net 1.1 way?
===========================================
As I have mentioned, FormsIdentity is a built-in class dedicated to
representing the forms authenticated user identity; this is used from 1.x
to 2.0. You can easily get this identity in each page request through
HttpContext.Current.User. Also, ASP.NET 2.0 is using the same means to
create the forms authentication ticket, store it in a cookie, and retrieve
it back in each request (in the FormsAuthentication httpmodule). There is
no difference in this code; the only difference is that ASP.NET 2.0 has
done this for you internally and saves you from coding it yourself. So what
you need to do is just add the custom string data at the user's
login/authentication time and then access it through Context.User whenever
you need it.


Doesn't the membership provider set a forms auth cookie for me
automatically? Will setting the cookie manually cause a problem?
============================================
Well, this is a good question. ASP.NET 2.0 adds the membership service
which can help simplify custom security/user management. However, remember
that the membership provider and forms authentication are totally separate;
you can use forms authentication without the membership service (do it
yourself as in ASP.NET 1.X). Or you can simply call the membership API
without enabling forms authentication.

No, "setting cookie manually" won't cause any problem. The ASP.NET 2.0
FormsAuthentication class uses the same code to generate the ticket and add
it into the response cookie collection (default behavior). Here is the
disassembled code from reflector

FormsAuthentication.GetAuthCookie>>>>>>>>>>>>>
private static HttpCookie GetAuthCookie(string userName, bool createPersistentCookie, string strCookiePath, bool hexEncodedTicket)
{
    FormsAuthentication.Initialize();
    if (userName == null)
    {
        userName = string.Empty;
    }
    if ((strCookiePath == null) || (strCookiePath.Length < 1))
    {
        strCookiePath = FormsAuthentication.FormsCookiePath;
    }
    FormsAuthenticationTicket ticket1 = new FormsAuthenticationTicket(2, userName, DateTime.Now, DateTime.Now.AddMinutes((double) FormsAuthentication._Timeout), createPersistentCookie, string.Empty, strCookiePath);
    string text1 = FormsAuthentication.Encrypt(ticket1, hexEncodedTicket);
    if ((text1 == null) || (text1.Length < 1))
    {
        throw new HttpException(SR.GetString("Unable_to_encrypt_cookie_ticket"));
    }
    HttpCookie cookie1 = new HttpCookie(FormsAuthentication.FormsCookieName, text1);
    cookie1.HttpOnly = true;
    cookie1.Path = strCookiePath;
    cookie1.Secure = FormsAuthentication._RequireSSL;
    if (FormsAuthentication._CookieDomain != null)
    {
        cookie1.Domain = FormsAuthentication._CookieDomain;
    }
    if (ticket1.IsPersistent)
    {
        cookie1.Expires = ticket1.Expiration;
    }
    return cookie1;
}
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Since you need to add custom data here, you need to manually create the
Ticket and add it into the response's Cookie collection. All the APIs used
here are public ones; nothing incorrect.


Is there any way to intercept the data from the Membership provider? As it
stands, the membership provider will go to the database to authenticate the
user, then I will have to go to the database manually again just to get
their user information. I tried finding an event that would return the data
as with an ObjectDataSource, but I haven't found any. Is there any way to
avoid this extra call that the Membership provider is doing anyway?
================================================
The Membership API has nothing to do with forms authentication. The
Membership API just helps retrieve or update the data in the membership
database tables. If you're using forms authentication and want to store
cached data through the forms authentication ticket, you should use the
forms authentication API rather than the membership API.

If there is anything unclear, please feel free to let me know.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
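
An added example, not part of the original thread: one way to attach custom user data to the forms authentication ticket only after authentication has succeeded, and to read it back later through FormsIdentity. It assumes a Login control whose LoggedIn event is wired to Login1_LoggedIn; the LoadUserData helper, its sample value and the 30-minute lifetime are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page
{
    // Hypothetical helper: returns the string to cache in the ticket.
    // The value here is constructed sample data.
    private static string LoadUserData(string userName)
    {
        return "dept=sales;theme=blue";
    }

    // Wire to the Login control's LoggedIn event, which is raised only
    // after the membership provider has accepted the credentials.
    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        Login login = (Login)sender;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // version
            login.UserName,                 // name
            DateTime.Now,                   // issueDate
            DateTime.Now.AddMinutes(30),    // expiration (assumed lifetime)
            login.RememberMeSet,            // isPersistent
            LoadUserData(login.UserName),   // userData (string only)
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
        // Replace the default cookie the Login control queued before LoggedIn.
        Response.Cookies.Set(cookie);
    }

    // Read the custom data back on any later request.
    public static string GetUserData(HttpContext context)
    {
        FormsIdentity id = context.User == null
            ? null : context.User.Identity as FormsIdentity;
        return id == null ? null : id.Ticket.UserData;
    }
}
```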





